[NANOG] Limiting ICMP

Rob Thomas robt at cymru.com
Wed May 21 21:18:36 UTC 2008


Yep, agreed, we need to update those docs.  The basic ICMP filtering 
guide still resides here, and comments are welcome:

    <http://www.cymru.com/Documents/icmp-messages.html>


John Kristoff wrote:
> On Sat, 17 May 2008 23:53:00 -0400
> Drew Weaver <drew.weaver at thenap.com> wrote:
> 
>> I'm wondering if anyone else has run into this/has heard of/(is responsible for)/knows the reason behind large IP providers limiting ICMP on outbound connections to the same amounts regardless of the size of the circuit?
>>
> 
> I might be partially responsible for furthering some of that activity.
> I've done this sort of thing on initial ingress facing links (e.g. LAN
> segments with client-oriented systems) and it was me who provided the
> sample configs for the cymru junos template for limiting udp and icmp.
> 
> Perhaps I mentioned it on a mailing list or in some internal documentation
> somewhere, but the way I've done it is typically to limit those two IP
> protocols (and sometimes other things like multicast) to some fraction
> of a percent on an edge LAN ingress link speed, which is not in the
> template.  Egress, aggregate and peering/Internet facing links shouldn't
> have these limits (yes, kind of a pain to manage if you're not good at
> router config management).  Unfortunately I didn't provide all that
> detail to the cymru folks at the time and as I'm sure they are aware
> those templates are quite a bit outdated now and could easily take some
> heavy revisioning.
> 
> In the environments where I've done this, my experience was that it was
> an acceptable practice at the time and in a couple cases it did help the
> net upstream when something went wrong (e.g. this did stop some real
> DoS traffic for me more than once).  I made use of protocol counters or
> some monitoring tools to ensure they were not unnecessarily dropping
> valid packets.  Your mileage may vary of course, as it apparently does?
> 
> John
> 

-- 
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/
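To make the practice John describes concrete, here is an added Junos example (not the Team Cymru template and not John's own configs) of the shape of such a filter: ICMP and UDP are policed on an edge LAN ingress interface only, everything else passes untouched, and each term carries a counter so you can check whether the policer is discarding legitimate traffic. The interface name, address, and rates are assumptions; the limits are chosen as roughly 0.1% (ICMP) and 0.5% (UDP) of an assumed 1 Gbps LAN port, so scale them to your own link speed.

```junos
/* Added example, not the cymru template: policers sized for an assumed 1 Gbps
   edge LAN port. 1m = ~0.1% of 1G for ICMP, 5m = ~0.5% of 1G for UDP.
   Apply only on client-facing ingress, never on egress, aggregate or peering links. */
firewall {
    policer icmp-limit {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 100k;
        }
        then discard;
    }
    policer udp-limit {
        if-exceeding {
            bandwidth-limit 5m;
            burst-size-limit 500k;
        }
        then discard;
    }
    family inet {
        filter edge-lan-ingress {
            term limit-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-limit;
                    count icmp-in;
                    accept;
                }
            }
            term limit-udp {
                from {
                    protocol udp;
                }
                then {
                    policer udp-limit;
                    count udp-in;
                    accept;
                }
            }
            /* Everything else (TCP, etc.) is not rate limited. */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    /* Assumed client-facing LAN interface; do not apply on uplinks. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input edge-lan-ingress;
                }
                address 192.0.2.1/24;
            }
        }
    }
}
```

After committing, `show firewall filter edge-lan-ingress` lists the `icmp-in` and `udp-in` term counters alongside the per-policer discard counters; watching the ratio of policer discards to term hits over time is the check John mentions for confirming the limits are not dropping valid packets. The rates above are placeholders, not a recommendation for any particular network.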
